RubyGems - ae_declarative_authorization - Versions diffs - 0.7.0 → 0.7.1 - Mend

ae_declarative_authorization 0.7.0 → 0.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

checksums.yaml +4 -4
data/Appraisals +21 -21
data/CHANGELOG +189 -189
data/Gemfile +7 -7
data/Gemfile.lock +45 -45
data/LICENSE.txt +20 -20
data/README.md +620 -620
data/README.rdoc +597 -597
data/Rakefile +33 -33
data/authorization_rules.dist.rb +20 -20
data/declarative_authorization.gemspec +24 -24
data/gemfiles/rails4252.gemfile +10 -10
data/gemfiles/rails4271.gemfile +10 -10
data/gemfiles/rails507.gemfile +11 -11
data/init.rb +5 -5
data/lib/declarative_authorization.rb +18 -18
data/lib/declarative_authorization/authorization.rb +821 -821
data/lib/declarative_authorization/helper.rb +78 -78
data/lib/declarative_authorization/in_controller.rb +713 -713
data/lib/declarative_authorization/in_model.rb +156 -156
data/lib/declarative_authorization/maintenance.rb +215 -215
data/lib/declarative_authorization/obligation_scope.rb +345 -345
data/lib/declarative_authorization/railsengine.rb +5 -5
data/lib/declarative_authorization/reader.rb +549 -549
data/lib/declarative_authorization/test/helpers.rb +261 -261
data/lib/declarative_authorization/version.rb +3 -3
data/lib/generators/authorization/install/install_generator.rb +77 -77
data/lib/generators/authorization/rules/rules_generator.rb +13 -13
data/lib/generators/authorization/rules/templates/authorization_rules.rb +27 -27
data/lib/tasks/authorization_tasks.rake +89 -89
data/test/authorization_test.rb +1121 -1121
data/test/controller_filter_resource_access_test.rb +573 -573
data/test/controller_test.rb +478 -478
data/test/database.yml +3 -3
data/test/dsl_reader_test.rb +178 -178
data/test/functional/filter_access_to_with_id_in_scope_test.rb +88 -88
data/test/functional/no_filter_access_to_test.rb +79 -79
data/test/functional/params_block_arity_test.rb +39 -39
data/test/helper_test.rb +248 -248
data/test/maintenance_test.rb +46 -46
data/test/model_test.rb +1840 -1840
data/test/schema.sql +60 -60
data/test/test_helper.rb +174 -174
data/test/test_support/minitest_compatibility.rb +26 -26
metadata +3 -9
data/gemfiles/rails4252.gemfile.lock +0 -126
data/gemfiles/rails4271.gemfile.lock +0 -126
data/gemfiles/rails507.gemfile.lock +0 -136
data/log/test.log +0 -34715
data/test/profiles/access_checking +0 -46

data/test/maintenance_test.rb CHANGED Viewed

@@ -1,46 +1,46 @@
-require 'test_helper'
-require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization maintenance})
-class MaintenanceTest < Test::Unit::TestCase
-  include Authorization::TestHelper
-  def test_usages_by_controllers
-    usage_test_controller = Class.new(ActionController::Base)
-    usage_test_controller.send(:define_method, :an_action) {}
-    usage_test_controller.filter_access_to :an_action
-    assert Authorization::Maintenance::Usage::usages_by_controller.
-              include?(usage_test_controller)
-  end
-  def test_without_access_control
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test
-        end
-      end
-    }
-    engine = Authorization::Engine.new(reader)
-    assert !engine.permit?(:test_2, :context => :permissions,
-        :user => MockUser.new(:test_role))
-    Authorization::Maintenance::without_access_control do
-      assert engine.permit!(:test_2, :context => :permissions,
-          :user => MockUser.new(:test_role))
-    end
-    without_access_control do
-      assert engine.permit?(:test_2, :context => :permissions,
-          :user => MockUser.new(:test_role))
-    end
-    Authorization::Maintenance::without_access_control do
-      Authorization::Maintenance::without_access_control do
-        assert engine.permit?(:test_2, :context => :permissions,
-            :user => MockUser.new(:test_role))
-      end
-      assert engine.permit?(:test_2, :context => :permissions,
-          :user => MockUser.new(:test_role))
-    end
-  end
-end
+require 'test_helper'
+require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization maintenance})
+class MaintenanceTest < Test::Unit::TestCase
+  include Authorization::TestHelper
+  def test_usages_by_controllers
+    usage_test_controller = Class.new(ActionController::Base)
+    usage_test_controller.send(:define_method, :an_action) {}
+    usage_test_controller.filter_access_to :an_action
+    assert Authorization::Maintenance::Usage::usages_by_controller.
+              include?(usage_test_controller)
+  end
+  def test_without_access_control
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert !engine.permit?(:test_2, :context => :permissions,
+        :user => MockUser.new(:test_role))
+    Authorization::Maintenance::without_access_control do
+      assert engine.permit!(:test_2, :context => :permissions,
+          :user => MockUser.new(:test_role))
+    end
+    without_access_control do
+      assert engine.permit?(:test_2, :context => :permissions,
+          :user => MockUser.new(:test_role))
+    end
+    Authorization::Maintenance::without_access_control do
+      Authorization::Maintenance::without_access_control do
+        assert engine.permit?(:test_2, :context => :permissions,
+            :user => MockUser.new(:test_role))
+      end
+      assert engine.permit?(:test_2, :context => :permissions,
+          :user => MockUser.new(:test_role))
+    end
+  end
+end

data/test/model_test.rb CHANGED Viewed

@@ -1,1840 +1,1840 @@
-require 'test_helper'
-require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization in_model})
-ActiveRecord::Base.send :include, Authorization::AuthorizationInModel
-#ActiveRecord::Base.logger = Logger.new(STDOUT)
-options = {:adapter => 'sqlite3', :timeout => 500, :database => ':memory:'}
-ActiveRecord::Base.establish_connection(options)
-ActiveRecord::Base.configurations = { 'sqlite3_ar_integration' => options }
-ActiveRecord::Base.connection
-File.read(File.dirname(__FILE__) + "/schema.sql").split(';').each do |sql|
-  ActiveRecord::Base.connection.execute(sql) unless sql.blank?
-end
-class TestModel < ActiveRecord::Base
-  has_many :test_attrs
-  has_many :test_another_attrs, :class_name => "TestAttr", :foreign_key => :test_another_model_id
-  has_many :test_attr_throughs, :through => :test_attrs
-  has_one :test_attr_has_one, :class_name => "TestAttr"
-  has_many :branches
-  has_many :test_attrs_with_attr,
-           lambda { where(:attr => 1) },
-           :class_name => "TestAttr"
-  has_many :test_attr_throughs_with_attr,
-           lambda { where("test_attrs.attr = 1") },
-           :through    => :test_attrs,
-           :class_name => "TestAttrThrough", :source => :test_attr_throughs
-  has_one :test_attr_throughs_with_attr_and_has_one,
-          lambda { where("test_attrs.attr = 1") },
-          :through    => :test_attrs,
-          :class_name => "TestAttrThrough",
-          :source     => :test_attr_throughs
-  scope :with_content, lambda { where("test_models.content IS NOT NULL") }
-  # Primary key test
-  has_many :test_attrs_with_primary_id,
-           :class_name  => "TestAttr",
-           :primary_key => :test_attr_through_id,
-           :foreign_key => :test_attr_through_id
-  has_many :test_attr_throughs_with_primary_id,
-           :through    => :test_attrs_with_primary_id,
-           :class_name => "TestAttrThrough",
-           :source     => :n_way_join_item
-  # for checking for unnecessary queries
-  mattr_accessor :query_count
-  def self.find(*args)
-    self.query_count ||= 0
-    self.query_count += 1
-    super(*args)
-  end
-end
-class NWayJoinItem < ActiveRecord::Base
-  has_many :test_attrs
-  has_many :others, :through => :test_attrs, :source => :n_way_join_item
-end
-class TestAttr < ActiveRecord::Base
-  belongs_to :test_model
-  belongs_to :test_another_model, :class_name => "TestModel", :foreign_key => :test_another_model_id
-  belongs_to :test_a_third_model, :class_name => "TestModel", :foreign_key => :test_a_third_model_id
-  belongs_to :n_way_join_item
-  belongs_to :test_attr
-  belongs_to :branch
-  belongs_to :company
-  has_many :test_attr_throughs
-  has_many :test_model_security_model_with_finds
-  attr_reader :role_symbols
-  def initialize(*args)
-    @role_symbols = []
-    super(*args)
-  end
-end
-class TestAttrThrough < ActiveRecord::Base
-  belongs_to :test_attr
-end
-class TestModelSecurityModel < ActiveRecord::Base
-  has_many :test_attrs
-  using_access_control
-end
-class TestModelSecurityModelWithFind < ActiveRecord::Base
-  self.table_name = 'test_model_security_models'
-  has_many :test_attrs
-  belongs_to :test_attr
-  using_access_control :include_read => true,
-                       :context      => :test_model_security_models
-end
-class Branch < ActiveRecord::Base
-  has_many :test_attrs
-  belongs_to :company
-  belongs_to :test_model
-end
-class Company < ActiveRecord::Base
-  has_many :test_attrs
-  has_many :branches
-  belongs_to :country
-end
-class SmallCompany < Company
-  def self.decl_auth_context
-    :companies
-  end
-end
-class Country < ActiveRecord::Base
-  has_many :test_models
-  has_many :companies
-end
-class NamedScopeModelTest < Test::Unit::TestCase
-  def test_multiple_deep_ored_belongs_to
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :test_model => {:test_attrs => contains {user}}
-            if_attribute :test_another_model => {:test_attrs => contains {user}}
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_model_2 = TestModel.create!
-    test_attr_1 = TestAttr.create! :test_model_id => test_model_1.id,
-                      :test_another_model_id => test_model_2.id
-    user = MockUser.new(:test_role, :id => test_attr_1)
-    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_attrs_test_models, :test_attrs_test_models_2).length
-    TestAttr.delete_all
-    TestModel.delete_all
-  end
-  def test_with_belongs_to_and_has_many_with_contains
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :test_model => { :test_attrs => contains { user.test_attr_value } }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_attr_1 = TestAttr.create!
-    test_model_1 = TestModel.create!
-    test_model_1.test_attrs.create!
-    user = MockUser.new(:test_role, :test_attr_value => test_model_1.test_attrs.first.id )
-    assert_equal 1, TestAttr.with_permissions_to( :read, :context => :test_attrs, :user => user ).length
-    assert_equal 1, TestAttr.with_permissions_to( :read, :user => user ).length
-    assert_raise Authorization::NotAuthorized do
-      TestAttr.with_permissions_to( :update_test_attrs, :user => user )
-    end
-    TestAttr.delete_all
-    TestModel.delete_all
-  end
-  def test_with_nested_has_many
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :companies, :to => :read do
-            if_attribute :branches => { :test_attrs => { :attr => is { user.test_attr_value } } }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    allowed_company = Company.create!
-    allowed_company.branches.create!.test_attrs.create!(:attr => 1)
-    allowed_company.branches.create!.test_attrs.create!(:attr => 2)
-    prohibited_company = Company.create!
-    prohibited_company.branches.create!.test_attrs.create!(:attr => 3)
-    user = MockUser.new(:test_role, :test_attr_value => 1)
-    prohibited_user = MockUser.new(:test_role, :test_attr_value => 4)
-    assert_equal 1, Company.with_permissions_to(:read, :user => user).length
-    assert_equal 0, Company.with_permissions_to(:read, :user => prohibited_user).length
-    Company.delete_all
-    Branch.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_nested_has_many_through
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attr_throughs => { :test_attr => { :attr => is { user.test_attr_value } } }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    TestModel.delete_all
-    TestAttrThrough.delete_all
-    TestAttr.delete_all
-    allowed_model = TestModel.create!
-    allowed_model.test_attrs.create!(:attr => 1).test_attr_throughs.create!
-    allowed_model.test_attrs.create!(:attr => 2).test_attr_throughs.create!
-    prohibited_model = TestModel.create!
-    prohibited_model.test_attrs.create!(:attr => 3).test_attr_throughs.create!
-    user = MockUser.new(:test_role, :test_attr_value => 1)
-    prohibited_user = MockUser.new(:test_role, :test_attr_value => 4)
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-    assert_equal 0, TestModel.with_permissions_to(:read, :user => prohibited_user).length
-    TestModel.delete_all
-    TestAttrThrough.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_is
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :id => is { user.test_attr_value }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    TestModel.create!
-    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
-    assert_equal 1, TestModel.with_permissions_to(:read,
-      :context => :test_models, :user => user).length
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-    assert_raise Authorization::NotAuthorized do
-      TestModel.with_permissions_to(:update_test_models, :user => user)
-    end
-    TestModel.delete_all
-  end
-  def test_named_scope_on_proxy
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :id => is { user.test_attr_value }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_attr_1 = test_model_1.test_attrs.create!
-    test_model_1.test_attrs.create!
-    TestAttr.create!
-    user = MockUser.new(:test_role, :test_attr_value => test_attr_1.id)
-    assert_equal 1, test_model_1.test_attrs.with_permissions_to(:read, :user => user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_named_scope_on_named_scope
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attr_through_id => 1
-          end
-          has_permission_on :test_attrs, :to => :read do
-            if_permitted_to :read, :test_model
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    country = Country.create!
-    model_1 = TestModel.create!(:test_attr_through_id => 1, :content => "Content")
-    country.test_models << model_1
-    TestModel.create!(:test_attr_through_id => 1)
-    TestModel.create!(:test_attr_through_id => 2, :content => "Content")
-    user = MockUser.new(:test_role)
-    TestModel.query_count = 0
-    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
-    TestModel.query_count = 0
-    assert_equal 1, TestModel.with_content.with_permissions_to(:read, :user => user).length
-    TestModel.query_count = 0
-    assert_equal 1, country.test_models.with_permissions_to(:read, :user => user).length
-    TestModel.delete_all
-    Country.delete_all
-  end
-  def test_with_modified_context
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :companies, :to => :read do
-            if_attribute :id => is { user.test_company_id }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_company = SmallCompany.create!
-    user = MockUser.new(:test_role, :test_company_id => test_company.id)
-    assert_equal 1, SmallCompany.with_permissions_to(:read,
-      :user => user).length
-    SmallCompany.delete_all
-  end
-  def test_with_is_nil
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :content => nil
-          end
-        end
-        role :test_role_not_nil do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :content => is_not { nil }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_model_2 = TestModel.create! :content => "Content"
-    assert_equal test_model_1, TestModel.with_permissions_to(:read,
-      :context => :test_models, :user => MockUser.new(:test_role)).first
-    assert_equal test_model_2, TestModel.with_permissions_to(:read,
-      :context => :test_models, :user => MockUser.new(:test_role_not_nil)).first
-    TestModel.delete_all
-  end
-  def test_with_not_is
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :id => is_not { user.test_attr_value }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    TestModel.delete_all
-    test_model_1 = TestModel.create!
-    TestModel.create!
-    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-    TestModel.delete_all
-  end
-  def test_with_lt
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :id => lt { user.test_attr_value }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    TestModel.create!
-    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id + 1)
-    assert_equal 1, TestModel.with_permissions_to(:read,
-      :context => :test_models, :user => user).length
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-    assert_raise Authorization::NotAuthorized do
-      TestModel.with_permissions_to(:update_test_models, :user => user)
-    end
-    TestModel.delete_all
-  end
-  def test_with_lte
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :id => lte { user.test_attr_value }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    2.times { TestModel.create! }
-    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id + 1)
-    assert_equal 2, TestModel.with_permissions_to(:read,
-      :context => :test_models, :user => user).length
-    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
-    assert_raise Authorization::NotAuthorized do
-      TestModel.with_permissions_to(:update_test_models, :user => user)
-    end
-    TestModel.delete_all
-  end
-  def test_with_gt
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :id => gt { user.test_attr_value }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    TestModel.create!
-    test_model_1 = TestModel.create!
-    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id - 1)
-    assert_equal 1, TestModel.with_permissions_to(:read,
-      :context => :test_models, :user => user).length
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-    assert_raise Authorization::NotAuthorized do
-      TestModel.with_permissions_to(:update_test_models, :user => user)
-    end
-    TestModel.delete_all
-  end
-  def test_with_gte
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :id => gte { user.test_attr_value }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    2.times { TestModel.create! }
-    test_model_1 = TestModel.create!
-    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id - 1)
-    assert_equal 2, TestModel.with_permissions_to(:read,
-      :context => :test_models, :user => user).length
-    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
-    assert_raise Authorization::NotAuthorized do
-      TestModel.with_permissions_to(:update_test_models, :user => user)
-    end
-    TestModel.delete_all
-  end
-  def test_with_empty_obligations
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    TestModel.create!
-    user = MockUser.new(:test_role)
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-    assert_raise Authorization::NotAuthorized do
-      TestModel.with_permissions_to(:update, :user => user)
-    end
-    TestModel.delete_all
-  end
-  def test_multiple_obligations
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :id => is { user.test_attr_value }
-          end
-          has_permission_on :test_models, :to => :read do
-            if_attribute :id => is { user.test_attr_value_2 }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_model_2 = TestModel.create!
-    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id,
-                        :test_attr_value_2 => test_model_2.id)
-    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
-    TestModel.delete_all
-  end
-  def test_multiple_roles
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :attr => [1,2]
-          end
-        end
-        role :test_role_2 do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :attr => [2,3]
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    TestAttr.create! :attr => 1
-    TestAttr.create! :attr => 2
-    TestAttr.create! :attr => 3
-    user = MockUser.new(:test_role)
-    assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
-    TestAttr.delete_all
-  end
-  def test_multiple_and_empty_obligations
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :id => is { user.test_attr_value }
-          end
-          has_permission_on :test_models, :to => :read
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    TestModel.create!
-    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
-    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
-    TestModel.delete_all
-  end
-  def test_multiple_attributes
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :id => is { user.test_attr_value }, :content => "bla"
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create! :content => 'bla'
-    TestModel.create! :content => 'bla'
-    TestModel.create!
-    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-    TestModel.delete_all
-  end
-  def test_multiple_belongs_to
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :test_model => is {user}
-            if_attribute :test_another_model => is {user}
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_attr_1 = TestAttr.create! :test_model_id => 1, :test_another_model_id => 2
-    user = MockUser.new(:test_role, :id => 1)
-    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
-    TestAttr.delete_all
-  end
-  def test_with_is_and_priv_hierarchy
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      privileges do
-        privilege :read do
-          includes :list, :show
-        end
-      end
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :id => is { user.test_attr_value }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    TestModel.create!
-    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
-    assert_equal 1, TestModel.with_permissions_to(:list,
-      :context => :test_models, :user => user).length
-    assert_equal 1, TestModel.with_permissions_to(:list, :user => user).length
-    TestModel.delete_all
-  end
-  def test_with_is_and_belongs_to
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :test_model => is { user.test_model }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_model_1.test_attrs.create!
-    TestModel.create!.test_attrs.create!
-    user = MockUser.new(:test_role, :test_model => test_model_1)
-    assert_equal 1, TestAttr.with_permissions_to(:read,
-      :context => :test_attrs, :user => user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_deep_attribute
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :test_model => {:id => is { user.test_model_id } }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_model_1.test_attrs.create!
-    TestModel.create!.test_attrs.create!
-    user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
-    assert_equal 1, TestAttr.with_permissions_to(:read,
-      :context => :test_attrs, :user => user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_multiple_conditions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :test_model => {:content => is { "pickle" } }
-            if_attribute :test_model => {:content => is { "hotdog" } }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!(content: "pickle")
-    test_model_1.test_attrs.create!
-    TestModel.create!.test_attrs.create!
-    user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
-    assert_equal 1, TestAttr.with_permissions_to(:read,
-      :context => :test_attrs, :user => user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_anded_rules
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_attrs, :to => :read, :join_by => :and do
-            if_attribute :test_model => is { user.test_model }
-            if_attribute :attr => 1
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_model_1.test_attrs.create!(:attr => 1)
-    TestModel.create!.test_attrs.create!(:attr => 1)
-    TestModel.create!.test_attrs.create!
-    user = MockUser.new(:test_role, :test_model => test_model_1)
-    assert_equal 1, TestAttr.with_permissions_to(:read,
-      :context => :test_attrs, :user => user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_contains
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attrs => contains { user }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_model_2 = TestModel.create!
-    test_model_1.test_attrs.create!
-    test_model_1.test_attrs.create!
-    test_model_2.test_attrs.create!
-    user = MockUser.new(:test_role,
-                        :id => test_model_1.test_attrs.first.id)
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).where(:id => test_model_1.id).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_does_not_contain
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attrs => does_not_contain { user }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_model_2 = TestModel.create!
-    test_model_1.test_attrs.create!
-    test_model_2.test_attrs.create!
-    user = MockUser.new(:test_role,
-                        :id => test_model_1.test_attrs.first.id)
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_contains_conditions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attrs_with_attr => contains { user }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_model_2 = TestModel.create!
-    test_model_1.test_attrs_with_attr.create!
-    test_model_1.test_attrs.create!(:attr => 2)
-    test_model_2.test_attrs_with_attr.create!
-    test_model_2.test_attrs.create!(:attr => 2)
-    #assert_equal 1, test_model_1.test_attrs_with_attr.length
-    user = MockUser.new(:test_role,
-                        :id => test_model_1.test_attrs.first.id)
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-    user = MockUser.new(:test_role,
-                        :id => test_model_1.test_attrs.last.id)
-    assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_contains_through_primary_key
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attr_throughs_with_primary_id => contains { user }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    TestModel.delete_all
-    TestAttrThrough.delete_all
-    TestAttr.delete_all
-    test_attr_through_1 = TestAttrThrough.create!
-    test_item = NWayJoinItem.create!
-    test_model_1 = TestModel.create!(:test_attr_through_id => test_attr_through_1.id)
-    test_attr_1 = TestAttr.create!(:test_attr_through_id => test_attr_through_1.id,
-        :n_way_join_item_id => test_item.id)
-    user = MockUser.new(:test_role,
-                        :id => test_attr_through_1.id)
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-    TestModel.delete_all
-    TestAttrThrough.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_intersects_with
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attrs => intersects_with { user.test_attrs }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_model_2 = TestModel.create!
-    test_model_1.test_attrs.create!
-    test_model_1.test_attrs.create!
-    test_model_1.test_attrs.create!
-    test_model_2.test_attrs.create!
-    user = MockUser.new(:test_role,
-                        :test_attrs => [test_model_1.test_attrs.first, TestAttr.create!])
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-    user = MockUser.new(:test_role,
-                        :test_attrs => [TestAttr.create!])
-    assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_is_and_has_one
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do :test_attr_has_one
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attr_has_one => is { user.test_attr }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_attr_1 = test_model_1.test_attrs.create!
-    TestModel.create!.test_attrs.create!
-    user = MockUser.new(:test_role, :test_attr => test_attr_1)
-    assert_equal 1, TestModel.with_permissions_to(:read,
-      :context => :test_models, :user => user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_is_in
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :test_model => is_in { [user.test_model, user.test_model_2] }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_model_2 = TestModel.create!
-    test_model_1.test_attrs.create!
-    TestModel.create!.test_attrs.create!
-    user = MockUser.new(:test_role, :test_model => test_model_1,
-      :test_model_2 => test_model_2)
-    assert_equal 1, TestAttr.with_permissions_to(:read,
-      :context => :test_attrs, :user => user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_not_is_in
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :test_model => is_not_in { [user.test_model, user.test_model_2] }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    TestModel.delete_all
-    TestAttr.delete_all
-    test_model_1 = TestModel.create!
-    test_model_2 = TestModel.create!
-    test_model_1.test_attrs.create!
-    TestModel.create!.test_attrs.create!
-    user = MockUser.new(:test_role, :test_model => test_model_1,
-      :test_model_2 => test_model_2)
-    assert_equal 1, TestAttr.with_permissions_to(:read,
-      :context => :test_attrs, :user => user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_if_permitted_to
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attrs => contains { user }
-          end
-          has_permission_on :test_attrs, :to => :read do
-            if_permitted_to :read, :test_model
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_attr_1 = test_model_1.test_attrs.create!
-    user = MockUser.new(:test_role, :id => test_attr_1.id)
-    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_anded_if_permitted_to
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :base_role do
-          has_permission_on :test_attrs, :to => :read, :join_by => :and do
-            if_permitted_to :read, :test_model
-            if_attribute :attr => 1
-          end
-        end
-        role :first_role do
-          includes :base_role
-          has_permission_on :test_models, :to => :read do
-            if_attribute :content => "first test"
-          end
-        end
-        role :second_role do
-          includes :base_role
-          has_permission_on :test_models, :to => :read do
-            if_attribute :country_id => 2
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!(:content => "first test")
-    test_model_1.test_attrs.create!(:attr => 1)
-    test_model_for_second_role = TestModel.create!(:country_id => 2)
-    test_model_for_second_role.test_attrs.create!(:attr => 1)
-    test_model_for_second_role.test_attrs.create!(:attr => 2)
-    user = MockUser.new(:first_role)
-    assert Authorization::Engine.instance.permit?(:read, :object => test_model_1.test_attrs.first, :user => user)
-    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
-    user_with_both_roles = MockUser.new(:first_role, :second_role)
-    assert Authorization::Engine.instance.permit?(:read, :object => test_model_1.test_attrs.first, :user => user_with_both_roles)
-    assert Authorization::Engine.instance.permit?(:read, :object => test_model_for_second_role.test_attrs.first, :user => user_with_both_roles)
-    assert_equal 2, TestAttr.with_permissions_to(:read, :user => user_with_both_roles).references(:test_attrs, :test_models).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_if_permitted_to_with_no_child_permissions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :another_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attrs => contains { user }
-          end
-        end
-        role :additional_if_attribute do
-          has_permission_on :test_attrs, :to => :read do
-            if_permitted_to :read, :test_model
-            if_attribute :test_model => {:test_attrs => contains { user }}
-          end
-        end
-        role :only_permitted_to do
-          has_permission_on :test_attrs, :to => :read do
-            if_permitted_to :read, :test_model
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_attr_1 = test_model_1.test_attrs.create!
-    user = MockUser.new(:only_permitted_to, :another_role, :id => test_attr_1.id)
-    also_allowed_user = MockUser.new(:additional_if_attribute, :id => test_attr_1.id)
-    non_allowed_user = MockUser.new(:only_permitted_to, :id => test_attr_1.id)
-    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
-    assert_equal 1, TestAttr.with_permissions_to(:read, :user => also_allowed_user).length
-    assert_raise Authorization::NotAuthorized do
-      TestAttr.with_permissions_to(:read, :user => non_allowed_user).find(:all)
-    end
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_if_permitted_to_with_context_from_model
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_another_attrs => contains { user }
-          end
-          has_permission_on :test_attrs, :to => :read do
-            if_permitted_to :read, :test_another_model
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_attr_1 = test_model_1.test_another_attrs.create!
-    user = MockUser.new(:test_role, :id => test_attr_1.id)
-    non_allowed_user = MockUser.new(:test_role, :id => 111)
-    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
-    assert_equal 0, TestAttr.with_permissions_to(:read, :user => non_allowed_user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_has_many_if_permitted_to
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_permitted_to :read, :test_attrs
-          end
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :attr => is { user.id }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_attr_1 = test_model_1.test_attrs.create!(:attr => 111)
-    user = MockUser.new(:test_role, :id => test_attr_1.attr)
-    non_allowed_user = MockUser.new(:test_role, :id => 333)
-    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
-    assert_equal 0, TestModel.with_permissions_to(:read, :user => non_allowed_user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_deep_has_many_if_permitted_to
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :branches, :to => :read do
-            if_attribute :name => "A Branch"
-          end
-          has_permission_on :companies, :to => :read do
-            if_permitted_to :read, :test_attrs => :branch
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    readable_company = Company.create!
-    readable_company.test_attrs.create!(:branch => Branch.create!(:name => "A Branch"))
-    forbidden_company = Company.create!
-    forbidden_company.test_attrs.create!(:branch => Branch.create!(:name => "Different Branch"))
-    user = MockUser.new(:test_role)
-    assert_equal 1, Company.with_permissions_to(:read, :user => user).length
-    Company.delete_all
-    Branch.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_if_permitted_to_and_empty_obligations
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read
-          has_permission_on :test_attrs, :to => :read do
-            if_permitted_to :read, :test_model
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_attr_1 = test_model_1.test_attrs.create!
-    user = MockUser.new(:test_role)
-    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_if_permitted_to_nil
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attrs => contains { user }
-          end
-          has_permission_on :test_attrs, :to => :read do
-            if_permitted_to :read, :test_model
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_attr_1 = TestAttr.create!
-    user = MockUser.new(:test_role, :id => test_attr_1.id)
-    assert_equal 0, TestAttr.with_permissions_to(:read, :user => user).length
-    TestAttr.delete_all
-  end
-  def test_with_if_permitted_to_self
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attrs => contains { user }
-          end
-          has_permission_on :test_models, :to => :update do
-            if_permitted_to :read
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_model_1 = TestModel.create!
-    test_attr_1 = test_model_1.test_attrs.create!
-    test_attr_2 = TestAttr.create!
-    user = MockUser.new(:test_role, :id => test_attr_1.id)
-    assert_equal 1, TestModel.with_permissions_to(:update, :user => user).length
-    TestAttr.delete_all
-    TestModel.delete_all
-  end
-  def test_with_has_many_and_reoccuring_tables
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :test_another_model => { :content => 'test_1_2' },
-                :test_model => { :content => 'test_1_1' }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_attr_1 = TestAttr.create!(
-        :test_model => TestModel.create!(:content => 'test_1_1'),
-        :test_another_model => TestModel.create!(:content => 'test_1_2')
-      )
-    test_attr_2 = TestAttr.create!(
-        :test_model => TestModel.create!(:content => 'test_2_1'),
-        :test_another_model => TestModel.create!(:content => 'test_2_2')
-      )
-    user = MockUser.new(:test_role)
-    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_ored_rules_and_reoccuring_tables
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :test_another_model => { :content => 'test_1_2' },
-                :test_model => { :content => 'test_1_1' }
-          end
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :test_another_model => { :content => 'test_2_2' },
-                :test_model => { :test_attrs => contains {user.test_attr} }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_attr_1 = TestAttr.create!(
-        :test_model => TestModel.create!(:content => 'test_1_1'),
-        :test_another_model => TestModel.create!(:content => 'test_1_2')
-      )
-    test_attr_2 = TestAttr.create!(
-        :test_model => TestModel.create!(:content => 'test_2_1'),
-        :test_another_model => TestModel.create!(:content => 'test_2_2')
-      )
-    test_attr_2.test_model.test_attrs.create!
-    user = MockUser.new(:test_role, :test_attr => test_attr_2.test_model.test_attrs.last)
-    assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_models, :test_models_test_attrs, :test_attrs_test_models).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_with_many_ored_rules_and_reoccuring_tables
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :branch => { :company => { :country => {
-                :test_models => contains { user.test_model }
-              }} }
-            if_attribute :company => { :country => {
-                :test_models => contains { user.test_model }
-              }}
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    country = Country.create!(:name => 'country_1')
-    country.test_models.create!
-    test_attr_1 = TestAttr.create!(
-        :branch => Branch.create!(:name => 'branch_1',
-            :company => Company.create!(:name => 'company_1',
-                :country => country))
-      )
-    test_attr_2 = TestAttr.create!(
-        :company => Company.create!(:name => 'company_2',
-            :country => country)
-      )
-    user = MockUser.new(:test_role, :test_model => country.test_models.first)
-    assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_models, :test_models_countries).length
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-end
-class ModelTest < Test::Unit::TestCase
-  def test_permit_with_has_one_raises_no_name_error
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do :test_attr_has_one
-        role :test_role do
-          has_permission_on :test_attrs, :to => :update do
-            if_attribute :id => is { user.test_attr.id }
-          end
-        end
-      end
-    }
-    instance = Authorization::Engine.instance(reader)
-    test_model = TestModel.create!
-    test_attr = test_model.create_test_attr_has_one
-    assert !test_attr.new_record?
-    user = MockUser.new(:test_role, :test_attr => test_attr)
-    assert_nothing_raised do
-      assert instance.permit?(:update, :user => user, :object => test_model.test_attr_has_one)
-    end
-    TestModel.delete_all
-    TestAttr.delete_all
-  end
-  def test_model_security_write_allowed
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_model_security_models do
-            to :read, :create, :update, :delete
-            if_attribute :attr => is { 1 }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    Authorization.stub :current_user, MockUser.new(:test_role) do
-      assert(object = TestModelSecurityModel.create)
-      assert_nothing_raised { object.update_attributes(:attr_2 => 2) }
-      object.reload
-      assert_equal 2, object.attr_2
-      object.destroy
-      assert_raise ActiveRecord::RecordNotFound do
-        TestModelSecurityModel.find(object.id)
-      end
-    end
-  end
-  def test_model_security_write_not_allowed_no_privilege
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_model_security_models do
-            to :read, :create, :update, :delete
-            if_attribute :attr => is { 1 }
-          end
-        end
-        role :test_role_restricted do
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    Authorization.current_user = MockUser.new(:test_role)
-    assert(object = TestModelSecurityModel.create)
-    Authorization.current_user = MockUser.new(:test_role_restricted)
-    assert_raise Authorization::NotAuthorized do
-      object.update_attributes(:attr_2 => 2)
-    end
-  end
-  def test_model_security_write_not_allowed_wrong_attribute_value
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role_unrestricted do
-          has_permission_on :test_model_security_models do
-            to :read, :create, :update, :delete
-          end
-        end
-        role :test_role do
-          has_permission_on :test_model_security_models do
-            to :read, :create, :update, :delete
-            if_attribute :attr => is { 1 }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    Authorization.stub :current_user, MockUser.new(:test_role) do
-      assert(object = TestModelSecurityModel.create)
-      assert_raise Authorization::AttributeAuthorizationError do
-        TestModelSecurityModel.create :attr => 2
-      end
-      object = TestModelSecurityModel.create
-      assert_raise Authorization::AttributeAuthorizationError do
-        object.update_attributes(:attr => 2)
-      end
-      object.reload
-      assert_nothing_raised do
-        object.update_attributes(:attr_2 => 1)
-      end
-      assert_raise Authorization::AttributeAuthorizationError do
-        object.update_attributes(:attr => 2)
-      end
-    end
-  end
-  def test_model_security_with_and_without_find_restrictions
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role_unrestricted do
-          has_permission_on :test_model_security_models do
-            to :read, :create, :update, :delete
-          end
-        end
-        role :test_role do
-          has_permission_on :test_model_security_models do
-            to :read, :create, :update, :delete
-            if_attribute :attr => is { 1 }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    Authorization.current_user = MockUser.new(:test_role_unrestricted)
-    object = TestModelSecurityModel.create :attr => 2
-    object_with_find = TestModelSecurityModelWithFind.create :attr => 2
-    Authorization.current_user = MockUser.new(:test_role)
-    assert_nothing_raised do
-      object.class.find(object.id)
-    end
-    assert_raise Authorization::AttributeAuthorizationError do
-      object_with_find.class.find(object_with_find.id)
-    end
-  end
-  def test_model_security_with_read_restrictions_and_exists
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_model_security_models do
-            to :read, :create, :update, :delete
-            if_attribute :test_attr => is { user.test_attr }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_attr = TestAttr.create
-    Authorization.stub :current_user, MockUser.new(:test_role, :test_attr => test_attr) do
-      object_with_find = TestModelSecurityModelWithFind.create :test_attr => test_attr
-      assert_nothing_raised do
-        object_with_find.class.find(object_with_find.id)
-      end
-      assert_equal 1, test_attr.test_model_security_model_with_finds.length
-    end
-  end
-  def test_model_security_delete_unallowed
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role_unrestricted do
-          has_permission_on :test_model_security_models do
-            to :read, :create, :update, :delete
-          end
-        end
-        role :test_role do
-          has_permission_on :test_model_security_models do
-            to :read, :create, :update, :delete
-            if_attribute :attr => is { 1 }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    Authorization.current_user = MockUser.new(:test_role_unrestricted)
-    object = TestModelSecurityModel.create :attr => 2
-    Authorization.current_user = MockUser.new(:test_role)
-    assert_raise Authorization::AttributeAuthorizationError do
-      object.destroy
-    end
-  end
-  def test_model_security_changing_critical_attribute_unallowed
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role_unrestricted do
-          has_permission_on :test_model_security_models do
-            to :read, :create, :update, :delete
-          end
-        end
-        role :test_role do
-          has_permission_on :test_model_security_models do
-            to :read, :create, :update, :delete
-            if_attribute :attr => is { 1 }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    Authorization.stub :current_user, MockUser.new(:test_role_unrestricted) do
-      object = TestModelSecurityModel.create :attr => 2
-    end
-  end
-  def test_model_security_no_role_unallowed
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-      end
-    }
-    Authorization::Engine.instance(reader)
-    Authorization.stub :current_user, MockUser.new(:test_role_2) do
-      assert_raise Authorization::NotAuthorized do
-        TestModelSecurityModel.create
-      end
-    end
-  end
-  def test_model_security_with_assoc
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_model_security_models do
-            to :create, :update, :delete
-            if_attribute :test_attrs => contains { user }
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    test_attr = TestAttr.create
-    test_attr.role_symbols << :test_role
-    Authorization.stub :current_user, test_attr do
-      assert(object = TestModelSecurityModel.create(:test_attrs => [test_attr]))
-      assert_nothing_raised do
-        object.update_attributes(:attr_2 => 2)
-      end
-      without_access_control do
-        object.reload
-      end
-      assert_equal 2, object.attr_2
-      object.destroy
-      assert_raise ActiveRecord::RecordNotFound do
-        TestModelSecurityModel.find(object.id)
-      end
-    end
-  end
-  def test_model_security_with_update_attrbributes
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_model_security_models, :to => :update do
-            if_attribute :test_attrs => { :branch => is { user.branch }}
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    params = {
-      :model_data => { :attr => 11 }
-    }
-    test_attr = TestAttr.create!(:branch => Branch.create!)
-    test_model = without_access_control do
-      TestModelSecurityModel.create!(:test_attrs => [test_attr])
-    end
-    with_user MockUser.new(:test_role, :branch => test_attr.branch) do
-      assert_nothing_raised do
-        test_model.update_attributes(params[:model_data])
-      end
-    end
-    without_access_control do
-      assert_equal params[:model_data][:attr], test_model.reload.attr
-    end
-    TestAttr.delete_all
-    TestModelSecurityModel.delete_all
-    Branch.delete_all
-  end
-  def test_using_access_control
-    assert !TestModel.using_access_control?
-    assert TestModelSecurityModel.using_access_control?
-  end
-  def test_authorization_permit_association_proxy
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :test_attrs, :to => :read do
-            if_attribute :test_model => {:content => "content" }
-          end
-        end
-      end
-    }
-    engine = Authorization::Engine.instance(reader)
-    test_model = TestModel.create(:content => "content")
-    assert engine.permit?(:read, :object => test_model.test_attrs,
-                          :user => MockUser.new(:test_role))
-    assert !engine.permit?(:read, :object => TestAttr.new,
-                          :user => MockUser.new(:test_role))
-    TestModel.delete_all
-  end
-  def test_authorization_permit_nested_association_proxy
-   reader = Authorization::Reader::DSLReader.new
-   reader.parse %{
-     authorization do
-       role :test_role do
-         has_permission_on :branches, :to => :read do
-           if_attribute :test_model => { :test_attrs => {:attr => 1 } }
-         end
-       end
-     end
-   }
-   engine = Authorization::Engine.instance(reader)
-   test_model = TestModel.create!
-   test_model.test_attrs.create!(:attr => 0)
-   test_attr = test_model.test_attrs.create!(:attr => 1)
-   test_model.test_attrs.create!(:attr => 3)
-   test_branch = Branch.create!(:test_model => test_model)
-   test_model_2 = TestModel.create!
-   test_attr_2 = test_model_2.test_attrs.create!(:attr => 2)
-   test_branch_2 = Branch.create!(:test_model => test_model_2)
-   test_model_3 = TestModel.create!
-   test_branch_3 = Branch.create!(:test_model => test_model_3)
-   assert engine.permit?(:read, :object => test_branch,
-                         :user => MockUser.new(:test_role))
-   assert !engine.permit?(:read, :object => test_branch_2,
-                         :user => MockUser.new(:test_role))
-   assert !engine.permit?(:read, :object => test_branch_3,
-                         :user => MockUser.new(:test_role))
-   TestModel.delete_all
-   Branch.delete_all
-   TestAttr.delete_all
-  end
-  def test_multiple_roles_with_has_many_through
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role_1 do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attr_throughs => contains {user.test_attr_through_id},
-                :content => 'test_1'
-          end
-        end
-        role :test_role_2 do
-          has_permission_on :test_models, :to => :read do
-            if_attribute :test_attr_throughs_2 => contains {user.test_attr_through_2_id},
-                :content => 'test_2'
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    TestModel.delete_all
-    TestAttr.delete_all
-    TestAttrThrough.delete_all
-    test_model_1 = TestModel.create! :content => 'test_1'
-    test_model_2 = TestModel.create! :content => 'test_2'
-    test_model_1.test_attrs.create!.test_attr_throughs.create!
-    test_model_2.test_attrs.create!.test_attr_throughs.create!
-    user = MockUser.new(:test_role_1, :test_role_2,
-        :test_attr_through_id => test_model_1.test_attr_throughs.first.id,
-        :test_attr_through_2_id => test_model_2.test_attr_throughs.first.id)
-    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).references(:test_models, :test_attr_throughs).length
-    TestModel.delete_all
-    TestAttr.delete_all
-    TestAttrThrough.delete_all
-  end
-  def test_model_permitted_to
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :companies, :to => :read do
-            if_attribute :name => "company_1"
-          end
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    user = MockUser.new(:test_role)
-    allowed_read_company = Company.new(:name => 'company_1')
-    prohibited_company = Company.new(:name => 'company_2')
-    assert allowed_read_company.permitted_to?(:read, :user => user)
-    assert !allowed_read_company.permitted_to?(:update, :user => user)
-    assert !prohibited_company.permitted_to?(:read, :user => user)
-    executed_block = false
-    allowed_read_company.permitted_to?(:read, :user => user) do
-      executed_block = true
-    end
-    assert executed_block
-    executed_block = false
-    prohibited_company.permitted_to?(:read, :user => user) do
-      executed_block = true
-    end
-    assert !executed_block
-    assert_nothing_raised do
-      allowed_read_company.permitted_to!(:read, :user => user)
-    end
-    assert_raise Authorization::NotAuthorized do
-      prohibited_company.permitted_to!(:update, :user => user)
-    end
-    assert_raise Authorization::AttributeAuthorizationError do
-      prohibited_company.permitted_to!(:read, :user => user)
-    end
-  end
-  def test_model_permitted_to_with_modified_context
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse %{
-      authorization do
-        role :test_role do
-          has_permission_on :companies, :to => :read
-        end
-      end
-    }
-    Authorization::Engine.instance(reader)
-    user = MockUser.new(:test_role)
-    allowed_read_company = SmallCompany.new(:name => 'small_company_1')
-    assert allowed_read_company.permitted_to?(:read, :user => user)
-    assert !allowed_read_company.permitted_to?(:update, :user => user)
-  end
-end
+require 'test_helper'
+require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization in_model})
+ActiveRecord::Base.send :include, Authorization::AuthorizationInModel
+#ActiveRecord::Base.logger = Logger.new(STDOUT)
+options = {:adapter => 'sqlite3', :timeout => 500, :database => ':memory:'}
+ActiveRecord::Base.establish_connection(options)
+ActiveRecord::Base.configurations = { 'sqlite3_ar_integration' => options }
+ActiveRecord::Base.connection
+File.read(File.dirname(__FILE__) + "/schema.sql").split(';').each do |sql|
+  ActiveRecord::Base.connection.execute(sql) unless sql.blank?
+end
+class TestModel < ActiveRecord::Base
+  has_many :test_attrs
+  has_many :test_another_attrs, :class_name => "TestAttr", :foreign_key => :test_another_model_id
+  has_many :test_attr_throughs, :through => :test_attrs
+  has_one :test_attr_has_one, :class_name => "TestAttr"
+  has_many :branches
+  has_many :test_attrs_with_attr,
+           lambda { where(:attr => 1) },
+           :class_name => "TestAttr"
+  has_many :test_attr_throughs_with_attr,
+           lambda { where("test_attrs.attr = 1") },
+           :through    => :test_attrs,
+           :class_name => "TestAttrThrough", :source => :test_attr_throughs
+  has_one :test_attr_throughs_with_attr_and_has_one,
+          lambda { where("test_attrs.attr = 1") },
+          :through    => :test_attrs,
+          :class_name => "TestAttrThrough",
+          :source     => :test_attr_throughs
+  scope :with_content, lambda { where("test_models.content IS NOT NULL") }
+  # Primary key test
+  has_many :test_attrs_with_primary_id,
+           :class_name  => "TestAttr",
+           :primary_key => :test_attr_through_id,
+           :foreign_key => :test_attr_through_id
+  has_many :test_attr_throughs_with_primary_id,
+           :through    => :test_attrs_with_primary_id,
+           :class_name => "TestAttrThrough",
+           :source     => :n_way_join_item
+  # for checking for unnecessary queries
+  mattr_accessor :query_count
+  def self.find(*args)
+    self.query_count ||= 0
+    self.query_count += 1
+    super(*args)
+  end
+end
+class NWayJoinItem < ActiveRecord::Base
+  has_many :test_attrs
+  has_many :others, :through => :test_attrs, :source => :n_way_join_item
+end
+class TestAttr < ActiveRecord::Base
+  belongs_to :test_model
+  belongs_to :test_another_model, :class_name => "TestModel", :foreign_key => :test_another_model_id
+  belongs_to :test_a_third_model, :class_name => "TestModel", :foreign_key => :test_a_third_model_id
+  belongs_to :n_way_join_item
+  belongs_to :test_attr
+  belongs_to :branch
+  belongs_to :company
+  has_many :test_attr_throughs
+  has_many :test_model_security_model_with_finds
+  attr_reader :role_symbols
+  def initialize(*args)
+    @role_symbols = []
+    super(*args)
+  end
+end
+class TestAttrThrough < ActiveRecord::Base
+  belongs_to :test_attr
+end
+class TestModelSecurityModel < ActiveRecord::Base
+  has_many :test_attrs
+  using_access_control
+end
+class TestModelSecurityModelWithFind < ActiveRecord::Base
+  self.table_name = 'test_model_security_models'
+  has_many :test_attrs
+  belongs_to :test_attr
+  using_access_control :include_read => true,
+                       :context      => :test_model_security_models
+end
+class Branch < ActiveRecord::Base
+  has_many :test_attrs
+  belongs_to :company
+  belongs_to :test_model
+end
+class Company < ActiveRecord::Base
+  has_many :test_attrs
+  has_many :branches
+  belongs_to :country
+end
+class SmallCompany < Company
+  def self.decl_auth_context
+    :companies
+  end
+end
+class Country < ActiveRecord::Base
+  has_many :test_models
+  has_many :companies
+end
+class NamedScopeModelTest < Test::Unit::TestCase
+  def test_multiple_deep_ored_belongs_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => {:test_attrs => contains {user}}
+            if_attribute :test_another_model => {:test_attrs => contains {user}}
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_attr_1 = TestAttr.create! :test_model_id => test_model_1.id,
+                      :test_another_model_id => test_model_2.id
+    user = MockUser.new(:test_role, :id => test_attr_1)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_attrs_test_models, :test_attrs_test_models_2).length
+    TestAttr.delete_all
+    TestModel.delete_all
+  end
+  def test_with_belongs_to_and_has_many_with_contains
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => { :test_attrs => contains { user.test_attr_value } }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr_1 = TestAttr.create!
+    test_model_1 = TestModel.create!
+    test_model_1.test_attrs.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.test_attrs.first.id )
+    assert_equal 1, TestAttr.with_permissions_to( :read, :context => :test_attrs, :user => user ).length
+    assert_equal 1, TestAttr.with_permissions_to( :read, :user => user ).length
+    assert_raise Authorization::NotAuthorized do
+      TestAttr.with_permissions_to( :update_test_attrs, :user => user )
+    end
+    TestAttr.delete_all
+    TestModel.delete_all
+  end
+  def test_with_nested_has_many
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :companies, :to => :read do
+            if_attribute :branches => { :test_attrs => { :attr => is { user.test_attr_value } } }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    allowed_company = Company.create!
+    allowed_company.branches.create!.test_attrs.create!(:attr => 1)
+    allowed_company.branches.create!.test_attrs.create!(:attr => 2)
+    prohibited_company = Company.create!
+    prohibited_company.branches.create!.test_attrs.create!(:attr => 3)
+    user = MockUser.new(:test_role, :test_attr_value => 1)
+    prohibited_user = MockUser.new(:test_role, :test_attr_value => 4)
+    assert_equal 1, Company.with_permissions_to(:read, :user => user).length
+    assert_equal 0, Company.with_permissions_to(:read, :user => prohibited_user).length
+    Company.delete_all
+    Branch.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_nested_has_many_through
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_throughs => { :test_attr => { :attr => is { user.test_attr_value } } }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.delete_all
+    TestAttrThrough.delete_all
+    TestAttr.delete_all
+    allowed_model = TestModel.create!
+    allowed_model.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+    allowed_model.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+    prohibited_model = TestModel.create!
+    prohibited_model.test_attrs.create!(:attr => 3).test_attr_throughs.create!
+    user = MockUser.new(:test_role, :test_attr_value => 1)
+    prohibited_user = MockUser.new(:test_role, :test_attr_value => 4)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_equal 0, TestModel.with_permissions_to(:read, :user => prohibited_user).length
+    TestModel.delete_all
+    TestAttrThrough.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_is
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+    assert_equal 1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_named_scope_on_proxy
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :id => is { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    test_model_1.test_attrs.create!
+    TestAttr.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_attr_1.id)
+    assert_equal 1, test_model_1.test_attrs.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_named_scope_on_named_scope
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_through_id => 1
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    country = Country.create!
+    model_1 = TestModel.create!(:test_attr_through_id => 1, :content => "Content")
+    country.test_models << model_1
+    TestModel.create!(:test_attr_through_id => 1)
+    TestModel.create!(:test_attr_through_id => 2, :content => "Content")
+    user = MockUser.new(:test_role)
+    TestModel.query_count = 0
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.query_count = 0
+    assert_equal 1, TestModel.with_content.with_permissions_to(:read, :user => user).length
+    TestModel.query_count = 0
+    assert_equal 1, country.test_models.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    Country.delete_all
+  end
+  def test_with_modified_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :companies, :to => :read do
+            if_attribute :id => is { user.test_company_id }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_company = SmallCompany.create!
+    user = MockUser.new(:test_role, :test_company_id => test_company.id)
+    assert_equal 1, SmallCompany.with_permissions_to(:read,
+      :user => user).length
+    SmallCompany.delete_all
+  end
+  def test_with_is_nil
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :content => nil
+          end
+        end
+        role :test_role_not_nil do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :content => is_not { nil }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create! :content => "Content"
+    assert_equal test_model_1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => MockUser.new(:test_role)).first
+    assert_equal test_model_2, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => MockUser.new(:test_role_not_nil)).first
+    TestModel.delete_all
+  end
+  def test_with_not_is
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is_not { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.delete_all
+    test_model_1 = TestModel.create!
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+  end
+  def test_with_lt
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => lt { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id + 1)
+    assert_equal 1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_with_lte
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => lte { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    2.times { TestModel.create! }
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id + 1)
+    assert_equal 2, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_with_gt
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => gt { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.create!
+    test_model_1 = TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id - 1)
+    assert_equal 1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_with_gte
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => gte { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    2.times { TestModel.create! }
+    test_model_1 = TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id - 1)
+    assert_equal 2, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update_test_models, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_with_empty_obligations
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.create!
+    user = MockUser.new(:test_role)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_raise Authorization::NotAuthorized do
+      TestModel.with_permissions_to(:update, :user => user)
+    end
+    TestModel.delete_all
+  end
+  def test_multiple_obligations
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value }
+          end
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value_2 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id,
+                        :test_attr_value_2 => test_model_2.id)
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+  end
+  def test_multiple_roles
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :attr => [1,2]
+          end
+        end
+        role :test_role_2 do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :attr => [2,3]
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestAttr.create! :attr => 1
+    TestAttr.create! :attr => 2
+    TestAttr.create! :attr => 3
+    user = MockUser.new(:test_role)
+    assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
+    TestAttr.delete_all
+  end
+  def test_multiple_and_empty_obligations
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value }
+          end
+          has_permission_on :test_models, :to => :read
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+  end
+  def test_multiple_attributes
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value }, :content => "bla"
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create! :content => 'bla'
+    TestModel.create! :content => 'bla'
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+  end
+  def test_multiple_belongs_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => is {user}
+            if_attribute :test_another_model => is {user}
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr_1 = TestAttr.create! :test_model_id => 1, :test_another_model_id => 2
+    user = MockUser.new(:test_role, :id => 1)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    TestAttr.delete_all
+  end
+  def test_with_is_and_priv_hierarchy
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      privileges do
+        privilege :read do
+          includes :list, :show
+        end
+      end
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :id => is { user.test_attr_value }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    TestModel.create!
+    user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+    assert_equal 1, TestModel.with_permissions_to(:list,
+      :context => :test_models, :user => user).length
+    assert_equal 1, TestModel.with_permissions_to(:list, :user => user).length
+    TestModel.delete_all
+  end
+  def test_with_is_and_belongs_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => is { user.test_model }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_1.test_attrs.create!
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_model => test_model_1)
+    assert_equal 1, TestAttr.with_permissions_to(:read,
+      :context => :test_attrs, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_deep_attribute
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => {:id => is { user.test_model_id } }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_1.test_attrs.create!
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
+    assert_equal 1, TestAttr.with_permissions_to(:read,
+      :context => :test_attrs, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_multiple_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => {:content => is { "pickle" } }
+            if_attribute :test_model => {:content => is { "hotdog" } }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!(content: "pickle")
+    test_model_1.test_attrs.create!
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
+    assert_equal 1, TestAttr.with_permissions_to(:read,
+      :context => :test_attrs, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_anded_rules
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read, :join_by => :and do
+            if_attribute :test_model => is { user.test_model }
+            if_attribute :attr => 1
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_1.test_attrs.create!(:attr => 1)
+    TestModel.create!.test_attrs.create!(:attr => 1)
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_model => test_model_1)
+    assert_equal 1, TestAttr.with_permissions_to(:read,
+      :context => :test_attrs, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_contains
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => contains { user }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs.create!
+    test_model_1.test_attrs.create!
+    test_model_2.test_attrs.create!
+    user = MockUser.new(:test_role,
+                        :id => test_model_1.test_attrs.first.id)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).where(:id => test_model_1.id).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_does_not_contain
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => does_not_contain { user }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs.create!
+    test_model_2.test_attrs.create!
+    user = MockUser.new(:test_role,
+                        :id => test_model_1.test_attrs.first.id)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_contains_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs_with_attr => contains { user }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs_with_attr.create!
+    test_model_1.test_attrs.create!(:attr => 2)
+    test_model_2.test_attrs_with_attr.create!
+    test_model_2.test_attrs.create!(:attr => 2)
+    #assert_equal 1, test_model_1.test_attrs_with_attr.length
+    user = MockUser.new(:test_role,
+                        :id => test_model_1.test_attrs.first.id)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    user = MockUser.new(:test_role,
+                        :id => test_model_1.test_attrs.last.id)
+    assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_contains_through_primary_key
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_throughs_with_primary_id => contains { user }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.delete_all
+    TestAttrThrough.delete_all
+    TestAttr.delete_all
+    test_attr_through_1 = TestAttrThrough.create!
+    test_item = NWayJoinItem.create!
+    test_model_1 = TestModel.create!(:test_attr_through_id => test_attr_through_1.id)
+    test_attr_1 = TestAttr.create!(:test_attr_through_id => test_attr_through_1.id,
+        :n_way_join_item_id => test_item.id)
+    user = MockUser.new(:test_role,
+                        :id => test_attr_through_1.id)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttrThrough.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_intersects_with
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => intersects_with { user.test_attrs }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs.create!
+    test_model_1.test_attrs.create!
+    test_model_1.test_attrs.create!
+    test_model_2.test_attrs.create!
+    user = MockUser.new(:test_role,
+                        :test_attrs => [test_model_1.test_attrs.first, TestAttr.create!])
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    user = MockUser.new(:test_role,
+                        :test_attrs => [TestAttr.create!])
+    assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_is_and_has_one
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do :test_attr_has_one
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_has_one => is { user.test_attr }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_attr => test_attr_1)
+    assert_equal 1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_is_in
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => is_in { [user.test_model, user.test_model_2] }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs.create!
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_model => test_model_1,
+      :test_model_2 => test_model_2)
+    assert_equal 1, TestAttr.with_permissions_to(:read,
+      :context => :test_attrs, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_not_is_in
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => is_not_in { [user.test_model, user.test_model_2] }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.delete_all
+    TestAttr.delete_all
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create!
+    test_model_1.test_attrs.create!
+    TestModel.create!.test_attrs.create!
+    user = MockUser.new(:test_role, :test_model => test_model_1,
+      :test_model_2 => test_model_2)
+    assert_equal 1, TestAttr.with_permissions_to(:read,
+      :context => :test_attrs, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => contains { user }
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    user = MockUser.new(:test_role, :id => test_attr_1.id)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_anded_if_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :base_role do
+          has_permission_on :test_attrs, :to => :read, :join_by => :and do
+            if_permitted_to :read, :test_model
+            if_attribute :attr => 1
+          end
+        end
+        role :first_role do
+          includes :base_role
+          has_permission_on :test_models, :to => :read do
+            if_attribute :content => "first test"
+          end
+        end
+        role :second_role do
+          includes :base_role
+          has_permission_on :test_models, :to => :read do
+            if_attribute :country_id => 2
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!(:content => "first test")
+    test_model_1.test_attrs.create!(:attr => 1)
+    test_model_for_second_role = TestModel.create!(:country_id => 2)
+    test_model_for_second_role.test_attrs.create!(:attr => 1)
+    test_model_for_second_role.test_attrs.create!(:attr => 2)
+    user = MockUser.new(:first_role)
+    assert Authorization::Engine.instance.permit?(:read, :object => test_model_1.test_attrs.first, :user => user)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    user_with_both_roles = MockUser.new(:first_role, :second_role)
+    assert Authorization::Engine.instance.permit?(:read, :object => test_model_1.test_attrs.first, :user => user_with_both_roles)
+    assert Authorization::Engine.instance.permit?(:read, :object => test_model_for_second_role.test_attrs.first, :user => user_with_both_roles)
+    assert_equal 2, TestAttr.with_permissions_to(:read, :user => user_with_both_roles).references(:test_attrs, :test_models).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to_with_no_child_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :another_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => contains { user }
+          end
+        end
+        role :additional_if_attribute do
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+            if_attribute :test_model => {:test_attrs => contains { user }}
+          end
+        end
+        role :only_permitted_to do
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    user = MockUser.new(:only_permitted_to, :another_role, :id => test_attr_1.id)
+    also_allowed_user = MockUser.new(:additional_if_attribute, :id => test_attr_1.id)
+    non_allowed_user = MockUser.new(:only_permitted_to, :id => test_attr_1.id)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => also_allowed_user).length
+    assert_raise Authorization::NotAuthorized do
+      TestAttr.with_permissions_to(:read, :user => non_allowed_user).find(:all)
+    end
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to_with_context_from_model
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_another_attrs => contains { user }
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_another_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_another_attrs.create!
+    user = MockUser.new(:test_role, :id => test_attr_1.id)
+    non_allowed_user = MockUser.new(:test_role, :id => 111)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    assert_equal 0, TestAttr.with_permissions_to(:read, :user => non_allowed_user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_has_many_if_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_permitted_to :read, :test_attrs
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :attr => is { user.id }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!(:attr => 111)
+    user = MockUser.new(:test_role, :id => test_attr_1.attr)
+    non_allowed_user = MockUser.new(:test_role, :id => 333)
+    assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+    assert_equal 0, TestModel.with_permissions_to(:read, :user => non_allowed_user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_deep_has_many_if_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :branches, :to => :read do
+            if_attribute :name => "A Branch"
+          end
+          has_permission_on :companies, :to => :read do
+            if_permitted_to :read, :test_attrs => :branch
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    readable_company = Company.create!
+    readable_company.test_attrs.create!(:branch => Branch.create!(:name => "A Branch"))
+    forbidden_company = Company.create!
+    forbidden_company.test_attrs.create!(:branch => Branch.create!(:name => "Different Branch"))
+    user = MockUser.new(:test_role)
+    assert_equal 1, Company.with_permissions_to(:read, :user => user).length
+    Company.delete_all
+    Branch.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to_and_empty_obligations
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    user = MockUser.new(:test_role)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to_nil
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => contains { user }
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_permitted_to :read, :test_model
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr_1 = TestAttr.create!
+    user = MockUser.new(:test_role, :id => test_attr_1.id)
+    assert_equal 0, TestAttr.with_permissions_to(:read, :user => user).length
+    TestAttr.delete_all
+  end
+  def test_with_if_permitted_to_self
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attrs => contains { user }
+          end
+          has_permission_on :test_models, :to => :update do
+            if_permitted_to :read
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_model_1 = TestModel.create!
+    test_attr_1 = test_model_1.test_attrs.create!
+    test_attr_2 = TestAttr.create!
+    user = MockUser.new(:test_role, :id => test_attr_1.id)
+    assert_equal 1, TestModel.with_permissions_to(:update, :user => user).length
+    TestAttr.delete_all
+    TestModel.delete_all
+  end
+  def test_with_has_many_and_reoccuring_tables
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_another_model => { :content => 'test_1_2' },
+                :test_model => { :content => 'test_1_1' }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr_1 = TestAttr.create!(
+        :test_model => TestModel.create!(:content => 'test_1_1'),
+        :test_another_model => TestModel.create!(:content => 'test_1_2')
+      )
+    test_attr_2 = TestAttr.create!(
+        :test_model => TestModel.create!(:content => 'test_2_1'),
+        :test_another_model => TestModel.create!(:content => 'test_2_2')
+      )
+    user = MockUser.new(:test_role)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_ored_rules_and_reoccuring_tables
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_another_model => { :content => 'test_1_2' },
+                :test_model => { :content => 'test_1_1' }
+          end
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_another_model => { :content => 'test_2_2' },
+                :test_model => { :test_attrs => contains {user.test_attr} }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr_1 = TestAttr.create!(
+        :test_model => TestModel.create!(:content => 'test_1_1'),
+        :test_another_model => TestModel.create!(:content => 'test_1_2')
+      )
+    test_attr_2 = TestAttr.create!(
+        :test_model => TestModel.create!(:content => 'test_2_1'),
+        :test_another_model => TestModel.create!(:content => 'test_2_2')
+      )
+    test_attr_2.test_model.test_attrs.create!
+    user = MockUser.new(:test_role, :test_attr => test_attr_2.test_model.test_attrs.last)
+    assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_models, :test_models_test_attrs, :test_attrs_test_models).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_with_many_ored_rules_and_reoccuring_tables
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :branch => { :company => { :country => {
+                :test_models => contains { user.test_model }
+              }} }
+            if_attribute :company => { :country => {
+                :test_models => contains { user.test_model }
+              }}
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    country = Country.create!(:name => 'country_1')
+    country.test_models.create!
+    test_attr_1 = TestAttr.create!(
+        :branch => Branch.create!(:name => 'branch_1',
+            :company => Company.create!(:name => 'company_1',
+                :country => country))
+      )
+    test_attr_2 = TestAttr.create!(
+        :company => Company.create!(:name => 'company_2',
+            :country => country)
+      )
+    user = MockUser.new(:test_role, :test_model => country.test_models.first)
+    assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_models, :test_models_countries).length
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+end
+class ModelTest < Test::Unit::TestCase
+  def test_permit_with_has_one_raises_no_name_error
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do :test_attr_has_one
+        role :test_role do
+          has_permission_on :test_attrs, :to => :update do
+            if_attribute :id => is { user.test_attr.id }
+          end
+        end
+      end
+    }
+    instance = Authorization::Engine.instance(reader)
+    test_model = TestModel.create!
+    test_attr = test_model.create_test_attr_has_one
+    assert !test_attr.new_record?
+    user = MockUser.new(:test_role, :test_attr => test_attr)
+    assert_nothing_raised do
+      assert instance.permit?(:update, :user => user, :object => test_model.test_attr_has_one)
+    end
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+  def test_model_security_write_allowed
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.stub :current_user, MockUser.new(:test_role) do
+      assert(object = TestModelSecurityModel.create)
+      assert_nothing_raised { object.update_attributes(:attr_2 => 2) }
+      object.reload
+      assert_equal 2, object.attr_2
+      object.destroy
+      assert_raise ActiveRecord::RecordNotFound do
+        TestModelSecurityModel.find(object.id)
+      end
+    end
+  end
+  def test_model_security_write_not_allowed_no_privilege
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+        role :test_role_restricted do
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role)
+    assert(object = TestModelSecurityModel.create)
+    Authorization.current_user = MockUser.new(:test_role_restricted)
+    assert_raise Authorization::NotAuthorized do
+      object.update_attributes(:attr_2 => 2)
+    end
+  end
+  def test_model_security_write_not_allowed_wrong_attribute_value
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_unrestricted do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+          end
+        end
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.stub :current_user, MockUser.new(:test_role) do
+      assert(object = TestModelSecurityModel.create)
+      assert_raise Authorization::AttributeAuthorizationError do
+        TestModelSecurityModel.create :attr => 2
+      end
+      object = TestModelSecurityModel.create
+      assert_raise Authorization::AttributeAuthorizationError do
+        object.update_attributes(:attr => 2)
+      end
+      object.reload
+      assert_nothing_raised do
+        object.update_attributes(:attr_2 => 1)
+      end
+      assert_raise Authorization::AttributeAuthorizationError do
+        object.update_attributes(:attr => 2)
+      end
+    end
+  end
+  def test_model_security_with_and_without_find_restrictions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_unrestricted do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+          end
+        end
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role_unrestricted)
+    object = TestModelSecurityModel.create :attr => 2
+    object_with_find = TestModelSecurityModelWithFind.create :attr => 2
+    Authorization.current_user = MockUser.new(:test_role)
+    assert_nothing_raised do
+      object.class.find(object.id)
+    end
+    assert_raise Authorization::AttributeAuthorizationError do
+      object_with_find.class.find(object_with_find.id)
+    end
+  end
+  def test_model_security_with_read_restrictions_and_exists
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :test_attr => is { user.test_attr }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr = TestAttr.create
+    Authorization.stub :current_user, MockUser.new(:test_role, :test_attr => test_attr) do
+      object_with_find = TestModelSecurityModelWithFind.create :test_attr => test_attr
+      assert_nothing_raised do
+        object_with_find.class.find(object_with_find.id)
+      end
+      assert_equal 1, test_attr.test_model_security_model_with_finds.length
+    end
+  end
+  def test_model_security_delete_unallowed
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_unrestricted do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+          end
+        end
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.current_user = MockUser.new(:test_role_unrestricted)
+    object = TestModelSecurityModel.create :attr => 2
+    Authorization.current_user = MockUser.new(:test_role)
+    assert_raise Authorization::AttributeAuthorizationError do
+      object.destroy
+    end
+  end
+  def test_model_security_changing_critical_attribute_unallowed
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_unrestricted do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+          end
+        end
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :attr => is { 1 }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.stub :current_user, MockUser.new(:test_role_unrestricted) do
+      object = TestModelSecurityModel.create :attr => 2
+    end
+  end
+  def test_model_security_no_role_unallowed
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+      end
+    }
+    Authorization::Engine.instance(reader)
+    Authorization.stub :current_user, MockUser.new(:test_role_2) do
+      assert_raise Authorization::NotAuthorized do
+        TestModelSecurityModel.create
+      end
+    end
+  end
+  def test_model_security_with_assoc
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :create, :update, :delete
+            if_attribute :test_attrs => contains { user }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    test_attr = TestAttr.create
+    test_attr.role_symbols << :test_role
+    Authorization.stub :current_user, test_attr do
+      assert(object = TestModelSecurityModel.create(:test_attrs => [test_attr]))
+      assert_nothing_raised do
+        object.update_attributes(:attr_2 => 2)
+      end
+      without_access_control do
+        object.reload
+      end
+      assert_equal 2, object.attr_2
+      object.destroy
+      assert_raise ActiveRecord::RecordNotFound do
+        TestModelSecurityModel.find(object.id)
+      end
+    end
+  end
+  def test_model_security_with_update_attrbributes
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models, :to => :update do
+            if_attribute :test_attrs => { :branch => is { user.branch }}
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    params = {
+      :model_data => { :attr => 11 }
+    }
+    test_attr = TestAttr.create!(:branch => Branch.create!)
+    test_model = without_access_control do
+      TestModelSecurityModel.create!(:test_attrs => [test_attr])
+    end
+    with_user MockUser.new(:test_role, :branch => test_attr.branch) do
+      assert_nothing_raised do
+        test_model.update_attributes(params[:model_data])
+      end
+    end
+    without_access_control do
+      assert_equal params[:model_data][:attr], test_model.reload.attr
+    end
+    TestAttr.delete_all
+    TestModelSecurityModel.delete_all
+    Branch.delete_all
+  end
+  def test_using_access_control
+    assert !TestModel.using_access_control?
+    assert TestModelSecurityModel.using_access_control?
+  end
+  def test_authorization_permit_association_proxy
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_attrs, :to => :read do
+            if_attribute :test_model => {:content => "content" }
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.instance(reader)
+    test_model = TestModel.create(:content => "content")
+    assert engine.permit?(:read, :object => test_model.test_attrs,
+                          :user => MockUser.new(:test_role))
+    assert !engine.permit?(:read, :object => TestAttr.new,
+                          :user => MockUser.new(:test_role))
+    TestModel.delete_all
+  end
+  def test_authorization_permit_nested_association_proxy
+   reader = Authorization::Reader::DSLReader.new
+   reader.parse %{
+     authorization do
+       role :test_role do
+         has_permission_on :branches, :to => :read do
+           if_attribute :test_model => { :test_attrs => {:attr => 1 } }
+         end
+       end
+     end
+   }
+   engine = Authorization::Engine.instance(reader)
+   test_model = TestModel.create!
+   test_model.test_attrs.create!(:attr => 0)
+   test_attr = test_model.test_attrs.create!(:attr => 1)
+   test_model.test_attrs.create!(:attr => 3)
+   test_branch = Branch.create!(:test_model => test_model)
+   test_model_2 = TestModel.create!
+   test_attr_2 = test_model_2.test_attrs.create!(:attr => 2)
+   test_branch_2 = Branch.create!(:test_model => test_model_2)
+   test_model_3 = TestModel.create!
+   test_branch_3 = Branch.create!(:test_model => test_model_3)
+   assert engine.permit?(:read, :object => test_branch,
+                         :user => MockUser.new(:test_role))
+   assert !engine.permit?(:read, :object => test_branch_2,
+                         :user => MockUser.new(:test_role))
+   assert !engine.permit?(:read, :object => test_branch_3,
+                         :user => MockUser.new(:test_role))
+   TestModel.delete_all
+   Branch.delete_all
+   TestAttr.delete_all
+  end
+  def test_multiple_roles_with_has_many_through
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role_1 do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_throughs => contains {user.test_attr_through_id},
+                :content => 'test_1'
+          end
+        end
+        role :test_role_2 do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :test_attr_throughs_2 => contains {user.test_attr_through_2_id},
+                :content => 'test_2'
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    TestModel.delete_all
+    TestAttr.delete_all
+    TestAttrThrough.delete_all
+    test_model_1 = TestModel.create! :content => 'test_1'
+    test_model_2 = TestModel.create! :content => 'test_2'
+    test_model_1.test_attrs.create!.test_attr_throughs.create!
+    test_model_2.test_attrs.create!.test_attr_throughs.create!
+    user = MockUser.new(:test_role_1, :test_role_2,
+        :test_attr_through_id => test_model_1.test_attr_throughs.first.id,
+        :test_attr_through_2_id => test_model_2.test_attr_throughs.first.id)
+    assert_equal 2, TestModel.with_permissions_to(:read, :user => user).references(:test_models, :test_attr_throughs).length
+    TestModel.delete_all
+    TestAttr.delete_all
+    TestAttrThrough.delete_all
+  end
+  def test_model_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :companies, :to => :read do
+            if_attribute :name => "company_1"
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    user = MockUser.new(:test_role)
+    allowed_read_company = Company.new(:name => 'company_1')
+    prohibited_company = Company.new(:name => 'company_2')
+    assert allowed_read_company.permitted_to?(:read, :user => user)
+    assert !allowed_read_company.permitted_to?(:update, :user => user)
+    assert !prohibited_company.permitted_to?(:read, :user => user)
+    executed_block = false
+    allowed_read_company.permitted_to?(:read, :user => user) do
+      executed_block = true
+    end
+    assert executed_block
+    executed_block = false
+    prohibited_company.permitted_to?(:read, :user => user) do
+      executed_block = true
+    end
+    assert !executed_block
+    assert_nothing_raised do
+      allowed_read_company.permitted_to!(:read, :user => user)
+    end
+    assert_raise Authorization::NotAuthorized do
+      prohibited_company.permitted_to!(:update, :user => user)
+    end
+    assert_raise Authorization::AttributeAuthorizationError do
+      prohibited_company.permitted_to!(:read, :user => user)
+    end
+  end
+  def test_model_permitted_to_with_modified_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :companies, :to => :read
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+    user = MockUser.new(:test_role)
+    allowed_read_company = SmallCompany.new(:name => 'small_company_1')
+    assert allowed_read_company.permitted_to?(:read, :user => user)
+    assert !allowed_read_company.permitted_to?(:update, :user => user)
+  end
+end